I'm wondering if you could suggest a way to implement "user roles" in GWT applications. I would like to implement a GWT application where users log in and are assigned "roles". Based on their role, they would be able to see and use different application areas.

Here are two possible solutions I thought of:

1) A possible solution could be to make an RPC call to the server during onModuleLoad. This RPC call would generate the necessary Widgets and/or place them on a panel and then return this panel to the client end.

2) Another possible solution could be to make an RPC call on login, retrieving the user's roles from the server and inspecting them to see what the user can do.

I'm also considering Java security frameworks like Apache Shiro and Spring Security... What do you think about them?

1 Answer

The first strategy mixes content and presentation - you're locked into providing a GWT front-end for your RPC.

The second strategy allows any kind of front-end technology. Having the RPC return a list of 'capabilities' for the current user is easy to mock during development: just have a hard-coded capabilities object and get the app running. Once you're on top of it you can move to RPC.

It's also easier to test how your app handles permissions/capabilities if the capabilities themselves are just data (without any UI). Having UI in a test really slows down unit tests.

It may be worth you trawling through the GWT presentations on YouTube to see if any of the presenters are describing a similar problem.

How would you code these "capabilities" or "roles"? A list of roles assigned to user-groups? So, a key-value table?
– csaffi, Mar 7 '11 at 10:12

Personally I'd return a JSON object from the server that contains a series of key-boolean value pairs. I'd wrap the JSON in a JavaScript overlay type: code.google.com/webtoolkit/doc/latest/… You can then have accessors like public boolean canDelete() methods that just return this.canDelete.
– ianmayo, Mar 31 '11 at 7:17
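
The capabilities-as-data approach from the answer and its comments, sketched as an added example in plain Java (not code from the original posters, and without the GWT overlay type). Every class, method, role and flag name other than canDelete is hypothetical, the role table is constructed, and the server-side re-check in deleteDocument is this example's own addition: flags sent to the client only decide what the UI shows.

```java
import java.util.*;
// Added illustration; every name except canDelete is hypothetical.
public class CapabilitiesDemo {
    // Capabilities are plain key -> boolean data, so they can be tested without any UI.
    static final class Capabilities {
        private final Map<String, Boolean> flags;
        Capabilities(Map<String, Boolean> flags) { this.flags = Map.copyOf(flags); }
        boolean can(String key) { return flags.getOrDefault(key, false); } // unknown key: denied
        boolean canDelete() { return can("canDelete"); }
        boolean canEdit() { return can("canEdit"); }
    }

    // Server side: constructed role table mapping each role to the flags it grants.
    static final Map<String, Set<String>> ROLE_GRANTS = Map.of(
        "admin", Set.of("canEdit", "canDelete"),
        "editor", Set.of("canEdit"),
        "viewer", Set.of());

    static Capabilities forRoles(Collection<String> roles) {
        Map<String, Boolean> flags = new HashMap<>();
        for (String role : roles)
            for (String grant : ROLE_GRANTS.getOrDefault(role, Set.of()))
                flags.put(grant, true);
        return new Capabilities(flags);
    }

    // Client side: choose the visible application areas from the data object alone.
    static List<String> visibleActions(Capabilities caps) {
        List<String> actions = new ArrayList<>(List.of("view"));
        if (caps.canEdit()) actions.add("edit");
        if (caps.canDelete()) actions.add("delete");
        return actions;
    }

    // Server side: the RPC handler checks again, using the roles held in the session.
    static void deleteDocument(Collection<String> sessionRoles, String docId) {
        if (!forRoles(sessionRoles).canDelete())
            throw new SecurityException("delete denied for " + docId);
        System.out.println("deleted " + docId);
    }

    public static void main(String[] args) {
        Capabilities mock = new Capabilities(Map.of("canEdit", true)); // hard-coded for development
        System.out.println(visibleActions(mock));
        System.out.println(visibleActions(forRoles(List.of("admin"))));
        try { deleteDocument(List.of("editor"), "doc-1"); }
        catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```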